
Spyware Virus


This topic is locked
11 replies to this topic

#1 Anasazi

  • Members
  • 7 posts
  • Gender: Male
  • Location: Texas

Posted 28 May 2008 - 04:56 PM

Ok, I uploaded the info on the notepad. Please let me know if you need further info, thanks.

Attached File: main.txt (16.17KB, 12 downloads)



#2 Thunder

  • Members
  • 3,294 posts
  • Gender: Male
  • Location: Belgium

Posted 29 May 2008 - 04:29 AM

Hello Anasazi and welcome to BleepingComputer,

1. Clean up caches, cookies and temporary files:

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.

* Clean your Cache and Cookies in Firefox (in case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window.

* Clean other Temporary files + Recycle bin:
  • Go to Start > Run and type: cleanmgr and click OK.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 Anasazi


Posted 30 May 2008 - 08:12 AM

Thunder, Thanx. The malwarebytes program removed the virus/pop-up but I still can't access any of my folders or files. When I get some time today I'll run the combofix. It looks rather lengthy.

Sorry for the late reply, I was gonna post yesterday and couldn't even find the thread on this forum.


Malwarebytes' Anti-Malware 1.12
Database version: 797

Scan type: Quick Scan
Objects scanned: 37147
Time elapsed: 8 minute(s), 26 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 15

Memory Processes Infected:
C:\WINDOWS\system32\braviax.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\XP_SecurityCenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c95fe080-8f5d-11d2-a20b-00aa003c157a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XP SecurityCenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowNetPlaces (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\XPSecurityCenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\data (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\XPSecurityCenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\XPSecurityCenter\htmlayout.dll (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\install.exe (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\pthreadVC2.dll (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\un.ico (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\unzip32.dll (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\XPSecurityCenter.exe (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\data\daily.cvd (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcm80.dll (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcp80.dll (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcr80.dll (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\XPSecurityCenter\Uninstall.lnk (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\XPSecurityCenter\XPSecurityCenter.lnk (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winivstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#4 Thunder


Posted 30 May 2008 - 09:23 AM

Hello Anasazi,

At the beginning of the thread, right upper corner, just below the Add reply and New topic buttons,
you'll find an "Options" button.
The first option you'll get when clicking this button is Track this topic.
If you specify, for instance, "Immediate Email Notification", you'll get an email containing the link to your topic
as soon as I've replied to you. :thumbsup:

Oh, and running ComboFix is less complicated and lengthy than it looks. :)

Greetings,
Thunder

#5 Anasazi


Posted 30 May 2008 - 11:25 AM

Thunder, I'm learning how to navigate this forum. I'm not used to the software on this type of forum. I have my own forum using WebX software.

Anyway, I ran combofix and here is the log. Not sure what to make of it. Let me know.

Thanx again in advance.

ComboFix 08-05-29.1 - Anasazi James 2008-05-30 10:44:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.236 [GMT -5:00]
Running from: C:\Documents and Settings\Anasazi James\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Anasazi James\Desktop\WinXP_EN_HOM_BF.EXE
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-30 10:44 . 2008-05-30 10:44 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-05-30 09:03 . 2008-05-30 09:03 <DIR> d-------- C:\WINDOWS\system32\N360_BACKUP
2008-05-29 09:33 . 2008-05-29 09:38 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-05-29 09:32 . 2008-05-29 09:33 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files
2008-05-29 08:23 . 2008-05-29 08:23 <DIR> d-------- C:\Documents and Settings\\Application Data\Malwarebytes
2008-05-29 08:22 . 2008-05-29 08:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-29 08:22 . 2008-05-29 08:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-29 08:22 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-29 08:22 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-28 16:31 . 2008-05-28 16:31 <DIR> d-------- C:\Deckard
2008-05-28 15:37 . 2008-05-28 15:37 3,078 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-28 15:27 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-28 15:27 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-28 15:27 . 2008-05-27 13:54 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-28 15:27 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-28 15:27 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-28 15:27 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-28 15:27 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-28 15:27 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-28 14:49 . 2008-05-28 14:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-26 16:24 . 2008-05-26 16:24 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-05-26 16:24 . 2008-05-28 17:19 <DIR> d-------- C:\Program Files\Norton 360
2008-05-26 16:21 . 2008-05-26 16:27 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-26 16:21 . 2008-05-26 16:27 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-26 16:00 . 2008-05-26 16:00 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-05-26 15:30 . 2008-05-26 15:30 <DIR> d-------- C:\Documents and Settings\Anasazi James\Application Data\SiteAdvisor
2008-05-26 15:16 . 2008-05-26 15:16 19,751 --a------ C:\WINDOWS\yseba._sy
2008-05-26 15:16 . 2008-05-26 15:16 19,289 --a------ C:\Program Files\Common Files\vudig.dll
2008-05-26 15:16 . 2008-05-26 15:16 19,185 --a------ C:\Documents and Settings\Anasazi James\Application Data\uluwev.reg
2008-05-26 15:16 . 2008-05-26 15:16 18,301 --a------ C:\Program Files\Common Files\ryhubiwur.com
2008-05-26 15:16 . 2008-05-26 15:16 17,203 --a------ C:\WINDOWS\sujyzesor.scr
2008-05-26 15:16 . 2008-05-26 15:16 16,366 --a------ C:\Program Files\Common Files\zifasacivy.dat
2008-05-26 15:16 . 2008-05-26 15:16 15,131 --a------ C:\Program Files\Common Files\iletekumer.exe
2008-05-26 15:16 . 2008-05-26 15:16 13,610 --a------ C:\WINDOWS\boqewat.vbs
2008-05-26 15:16 . 2008-05-26 15:16 12,899 --a------ C:\Documents and Settings\All Users\Application Data\tety.vbs
2008-05-26 15:16 . 2008-05-26 15:16 12,857 --a------ C:\Documents and Settings\All Users\Application Data\esabofula.dll
2008-05-26 15:16 . 2008-05-26 15:16 11,149 --a------ C:\WINDOWS\system32\uxedaxe.sys
2008-05-26 15:16 . 2008-05-26 15:16 11,010 --a------ C:\WINDOWS\sanunijag.scr
2008-05-26 15:16 . 2008-05-26 15:16 10,210 --a------ C:\WINDOWS\hovos.vbs
2008-05-26 08:44 . 2008-05-26 08:44 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-14 19:34 . 2008-05-14 19:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-14 19:34 . 2008-05-14 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-27 10:17 . 2008-04-27 10:17 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-24 17:05 . 2008-04-24 17:05 22,333 --a------ C:\Addendum I.docx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 15:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-30 15:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-30 15:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 18:12 --------- d-----w C:\Program Files\MSXML 4.0
2008-05-27 16:08 --------- d-----w C:\Program Files\Free Offers from Freeze.com
2008-05-26 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-26 21:47 --------- d-----w C:\Documents and Settings\Joe bleep the Rag Man\Application Data\Symantec
2008-05-26 21:27 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-26 21:27 --------- d-----w C:\Program Files\Symantec
2008-05-26 21:19 --------- d-----w C:\Program Files\McAfee
2008-05-26 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-26 20:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-15 00:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 13:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-28 00:55 --------- d-----w C:\Program Files\Java
2008-04-27 15:20 --------- d-----w C:\Program Files\Real
2008-04-27 15:15 --------- d-----w C:\Program Files\Common Files\Real
2001-12-15 02:56 17,408 --sha-w C:\Program Files\Thumbs.db
.

------- Sigcheck -------

2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@={4433A54A-1AC8-432F-90FC-85F045CF383C}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@={F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@={476D0EA3-80F9-48B5-B70B-05E677C9C148}

[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 03:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 03:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 03:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-18 07:00 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2001-11-19 06:40 1413120]
"NvCplDaemon"="RUNDLL32.exe" [2001-08-18 07:00 31744 C:\WINDOWS\system32\rundll32.exe]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 13:41 196608]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 07:07 69632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-03-23 15:47 1111040]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 17:54 37376]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-27 10:12 185896]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 14:37 51048]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [2008-02-26 09:50 988512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2008-02-21 17:02 152952]
"Symantec NetDriver Warning"="C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE" [2004-05-09 01:15 91256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2001-08-18 07:00 63488]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
VAIO Action Setup (Server).lnk - C:\Program Files\Sony\VAIO Action Setup\VAServ.exe [2001-12-19 17:24:36 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 SonyFKC;FAN and Keyboard Control Service;C:\WINDOWS\System32\Drivers\SonyFKC.sys [2001-12-06 12:49]
R2 V7;V7;C:\WINDOWS\System32\drivers\V7.sys [2000-03-09 11:24]
S3 BCM42XX;Broadcom iLine10™ Network Adapter Driver;C:\WINDOWS\System32\DRIVERS\bcm42xx5.sys [2001-08-17 15:11]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 SMBE;Sony MPEG2 Encoder Board (WDM);C:\WINDOWS\System32\Drivers\SMBE.SYS [2001-09-21 19:16]
S3 UsbCmxp;Scientific Atlanta WebSTAR 2000 series Cable Modem;C:\WINDOWS\System32\DRIVERS\sacmxp2.sys []

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 10:53:16
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-05-30 11:03:57 - machine was rebooted []
ComboFix-quarantined-files.txt 2008-05-30 16:03:45

Pre-Run: 1,531,023,360 bytes free
Post-Run: 1,437,982,720 bytes free

WinXP_EN_HOM_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

170 --- E O F --- 2008-05-29 20:41:38
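
As an added illustration (not part of this thread, and not ComboFix's or Thunder's own tooling): the 13 files Thunder later puts into the CFScript are exactly the "Files Created" entries whose creation and modification stamps are both 2008-05-26 15:16, and the "Reg Loading Points" section shows Security Center notifications and monitoring switched off and the firewall disabled. The Python below pulls both signals out of a ComboFix-style log automatically. The sample input is constructed from a few lines of the log above; the line regex, the three-file cluster threshold and the list of tamper values to check are my assumptions about the format rather than anything ComboFix documents.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied from the ComboFix log posted in this
# thread (two benign "Files Created" entries for contrast, four of the
# 2008-05-26 15:16 drops, and the Security Center / firewall registry values).
SAMPLE_LOG = r"""
2008-05-30 10:44 . 2008-05-30 10:44 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-05-29 08:22 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-26 15:16 . 2008-05-26 15:16 19,751 --a------ C:\WINDOWS\yseba._sy
2008-05-26 15:16 . 2008-05-26 15:16 19,289 --a------ C:\Program Files\Common Files\vudig.dll
2008-05-26 15:16 . 2008-05-26 15:16 13,610 --a------ C:\WINDOWS\boqewat.vbs
2008-05-26 15:16 . 2008-05-26 15:16 11,149 --a------ C:\WINDOWS\system32\uxedaxe.sys
2008-05-26 08:44 . 2008-05-26 08:44 <DIR> d-------- C:\Program Files\Microsoft Silverlight
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Assumed shape of a "Files Created" line: created . modified size attrs path
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) (\S+) (.+)$"
)
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"([^"]+)"=\s*(.+)$')

# Security Center values that, set to 1, silence the OS's own warnings
# (assumed list, taken from the values visible in the log above).
TAMPER_VALUES = {
    "AntiVirusDisableNotify": "dword:00000001",
    "UpdatesDisableNotify": "dword:00000001",
    "DisableMonitoring": "dword:00000001",
}


def parse_file_entries(text):
    """Return one dict per 'Files Created' line; registry lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            created, modified, size, attrs, path = m.groups()
            entries.append({"created": created, "modified": modified,
                            "is_dir": size == "<DIR>", "path": path})
    return entries


def find_drop_clusters(entries, min_size=3):
    """Group freshly written files (created == modified) by creation minute.

    A burst of several new files in one minute, scattered over system
    directories, is the pattern a dropper leaves; installers usually carry
    older modification stamps (compare mbam.sys in the sample)."""
    by_minute = defaultdict(list)
    for e in entries:
        if not e["is_dir"] and e["created"] == e["modified"]:
            by_minute[e["created"]].append(e["path"])
    return {ts: sorted(paths) for ts, paths in by_minute.items()
            if len(paths) >= min_size}


def find_security_center_tampering(text):
    """Flag Security Center notification/monitoring values set to 1 and a
    disabled standard-profile firewall in the REGEDIT4 part of the log."""
    findings = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = VALUE.match(line)
        if not m or section is None:
            continue
        name, value = m.group(1), m.group(2).strip()
        if "security center" in section and TAMPER_VALUES.get(name) == value:
            findings.append((section, name, value))
        elif "firewallpolicy" in section and name == "EnableFirewall" and value.startswith("0"):
            findings.append((section, name, value))
    return findings


if __name__ == "__main__":
    for ts, paths in find_drop_clusters(parse_file_entries(SAMPLE_LOG)).items():
        print(f"{len(paths)} files written at {ts}:")
        for p in paths:
            print("   ", p)
    for section, name, value in find_security_center_tampering(SAMPLE_LOG):
        print(f"tampered: [{section}] {name}={value}")
```

Run against the full log above, the cluster finder returns the same 13 paths Thunder lists in the CFScript, and the registry check reports the four disabled-notification and firewall values; the 2008-05-28 15:27 batch of fix tools would also be reported if their modification stamps matched their creation stamps, which is why the heuristic is a triage aid and not a verdict.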

#6 Thunder


Posted 31 May 2008 - 05:43 AM

Hello Anasazi,

Let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:

http://www.bleepingcomputer.com/forums/t/149377/spyware-virus/
Collect::[9]
C:\WINDOWS\yseba._sy
C:\Program Files\Common Files\vudig.dll
C:\Documents and Settings\Anasazi James\Application Data\uluwev.reg
C:\Program Files\Common Files\ryhubiwur.com
C:\WINDOWS\sujyzesor.scr
C:\Program Files\Common Files\zifasacivy.dat
C:\Program Files\Common Files\iletekumer.exe
C:\WINDOWS\boqewat.vbs
C:\Documents and Settings\All Users\Application Data\tety.vbs
C:\Documents and Settings\All Users\Application Data\esabofula.dll
C:\WINDOWS\system32\uxedaxe.sys
C:\WINDOWS\sanunijag.scr
C:\WINDOWS\hovos.vbs

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open.
Simply follow the instructions to copy/paste/send the requested file [9]-Submit_Date_Time.zip.

Are you still having problems ?

Greetings,
Thunder

#7 Anasazi


Posted 31 May 2008 - 09:57 AM

Thunder,

All combofix did was display the log. I don't know anything about this: "A browser will open.
Simply follow the instructions to copy/paste/send the requested file [9]-Submit_Date_Time.zip."

Yes, I'm still having problems with my computer. I believe it's a bug in Microsoft. I still can't open any of my files and I rely on my computer for school. When I go to uninstall Microsoft Office I get a pop-up window that says, "The specific program requires a newer version of Windows." I uninstalled Service Pack 3 earlier this week when attempting to fix the original virus and it made things more difficult when I attempted to reinstall Microsoft updates. I'm still working on trying to fix this Microsoft problem. A few days ago I couldn't even update any installs from the Microsoft website. I'll try it again; maybe the IE7 browser might work with Office? I did have it installed earlier although I'm not too crazy about it.

Also when I click on the Office icon on my desktop I get a pop-up that reads: "This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix the problem." MMMmmmm..heh, it's what I've been trying to do all week.

#8 Anasazi


Posted 31 May 2008 - 09:59 AM

ComboFix 08-05-29.1 - Anasazi James 2008-05-31 8:08:34.2 - NTFSx86
Running from: C:\Documents and Settings\Anasazi James\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Anasazi James\Desktop\CFScript.lnk
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.

2008-05-30 09:03 . 2008-05-30 09:03 <DIR> d-------- C:\WINDOWS\system32\N360_BACKUP
2008-05-29 09:33 . 2008-05-29 09:38 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-05-29 09:32 . 2008-05-29 09:33 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files
2008-05-29 08:23 . 2008-05-29 08:23 <DIR> d-------- C:\Documents and Settings\Anasazi James\Application Data\Malwarebytes
2008-05-29 08:22 . 2008-05-29 08:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-29 08:22 . 2008-05-29 08:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-29 08:22 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-29 08:22 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-28 16:31 . 2008-05-28 16:31 <DIR> d-------- C:\Deckard
2008-05-28 15:37 . 2008-05-28 15:37 3,078 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-28 15:27 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-28 15:27 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-28 15:27 . 2008-05-27 13:54 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-28 15:27 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-28 15:27 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-28 15:27 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-28 15:27 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-28 15:27 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-28 14:49 . 2008-05-28 14:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-26 16:24 . 2008-05-26 16:24 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-05-26 16:24 . 2008-05-28 17:19 <DIR> d-------- C:\Program Files\Norton 360
2008-05-26 16:21 . 2008-05-26 16:27 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-26 16:21 . 2008-05-26 16:27 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-26 16:00 . 2008-05-26 16:00 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-05-26 15:30 . 2008-05-26 15:30 <DIR> d-------- C:\Documents and Settings\Anasazi James\Application Data\SiteAdvisor
2008-05-26 15:16 . 2008-05-26 15:16 19,751 --a------ C:\WINDOWS\yseba._sy
2008-05-26 15:16 . 2008-05-26 15:16 19,289 --a------ C:\Program Files\Common Files\vudig.dll
2008-05-26 15:16 . 2008-05-26 15:16 19,185 --a------ C:\Documents and Settings\Anasazi James\Application Data\uluwev.reg
2008-05-26 15:16 . 2008-05-26 15:16 18,301 --a------ C:\Program Files\Common Files\ryhubiwur.com
2008-05-26 15:16 . 2008-05-26 15:16 17,203 --a------ C:\WINDOWS\sujyzesor.scr
2008-05-26 15:16 . 2008-05-26 15:16 16,366 --a------ C:\Program Files\Common Files\zifasacivy.dat
2008-05-26 15:16 . 2008-05-26 15:16 15,131 --a------ C:\Program Files\Common Files\iletekumer.exe
2008-05-26 15:16 . 2008-05-26 15:16 13,610 --a------ C:\WINDOWS\boqewat.vbs
2008-05-26 15:16 . 2008-05-26 15:16 12,899 --a------ C:\Documents and Settings\All Users\Application Data\tety.vbs
2008-05-26 15:16 . 2008-05-26 15:16 12,857 --a------ C:\Documents and Settings\All Users\Application Data\esabofula.dll
2008-05-26 15:16 . 2008-05-26 15:16 11,149 --a------ C:\WINDOWS\system32\uxedaxe.sys
2008-05-26 15:16 . 2008-05-26 15:16 11,010 --a------ C:\WINDOWS\sanunijag.scr
2008-05-26 15:16 . 2008-05-26 15:16 10,210 --a------ C:\WINDOWS\hovos.vbs
2008-05-26 08:44 . 2008-05-26 08:44 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-14 19:34 . 2008-05-14 19:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-14 19:34 . 2008-05-14 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-27 10:17 . 2008-04-27 10:17 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-24 17:05 . 2008-04-24 17:05 22,333 --a------ C:\Addendum I.docx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-31 13:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-30 15:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-30 15:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 18:12 --------- d-----w C:\Program Files\MSXML 4.0
2008-05-27 16:08 --------- d-----w C:\Program Files\Free Offers from Freeze.com
2008-05-26 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-26 21:47 --------- d-----w C:\Documents and Settings\Anasazi James\Application Data\Symantec
2008-05-26 21:27 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-26 21:27 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-26 21:27 --------- d-----w C:\Program Files\Symantec
2008-05-26 21:19 --------- d-----w C:\Program Files\McAfee
2008-05-26 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-26 20:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-15 00:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 13:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-28 00:55 --------- d-----w C:\Program Files\Java
2008-04-27 15:20 --------- d-----w C:\Program Files\Real
2008-04-27 15:15 --------- d-----w C:\Program Files\Common Files\Real
2008-04-27 15:13 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-04-27 15:13 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-25 04:50 355,112 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
2008-02-20 01:06 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-02-20 01:06 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2001-12-15 02:56 17,408 --sha-w C:\Program Files\Thumbs.db
.

------- Sigcheck -------

2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
.
((((((((((((((((((((((((((((( snapshot@2008-05-30_11.03.18.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 15:52:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-31 11:57:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-31 11:57:40 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_548.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@={4433A54A-1AC8-432F-90FC-85F045CF383C}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@={F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@={476D0EA3-80F9-48B5-B70B-05E677C9C148}

[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 03:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 03:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 03:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-18 07:00 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2001-11-19 06:40 1413120]
"NvCplDaemon"="RUNDLL32.exe" [2001-08-18 07:00 31744 C:\WINDOWS\system32\rundll32.exe]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 13:41 196608]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 07:07 69632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-03-23 15:47 1111040]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 17:54 37376]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-27 10:12 185896]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 14:37 51048]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [2008-02-26 09:50 988512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2008-02-21 17:02 152952]
"Symantec NetDriver Warning"="C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE" [2004-05-09 01:15 91256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2001-08-18 07:00 63488]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
VAIO Action Setup (Server).lnk - C:\Program Files\Sony\VAIO Action Setup\VAServ.exe [2001-12-19 17:24:36 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 SonyFKC;FAN and Keyboard Control Service;C:\WINDOWS\System32\Drivers\SonyFKC.sys [2001-12-06 12:49]
R2 V7;V7;C:\WINDOWS\System32\drivers\V7.sys [2000-03-09 11:24]
S3 BCM42XX;Broadcom iLine10™ Network Adapter Driver;C:\WINDOWS\System32\DRIVERS\bcm42xx5.sys [2001-08-17 15:11]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 SMBE;Sony MPEG2 Encoder Board (WDM);C:\WINDOWS\System32\Drivers\SMBE.SYS [2001-09-21 19:16]
S3 UsbCmxp;Scientific Atlanta WebSTAR 2000 series Cable Modem;C:\WINDOWS\System32\DRIVERS\sacmxp2.sys []

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 08:13:51
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-31 8:23:31
ComboFix-quarantined-files.txt 2008-05-31 13:23:16
ComboFix2.txt 2008-05-30 16:03:59

Pre-Run: 1,449,377,792 bytes free
Post-Run: 1,508,945,920 bytes free

167 --- E O F --- 2008-05-29 20:41:38

#9 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:08:25 AM

Posted 31 May 2008 - 05:31 PM

Hello Anasazi,

You didn't follow proper CFScript instructions.
You started ComboFix using CFScript.lnk;
the entries above in blue and bold should be saved in a .txt file, saved to your desktop,
and then dragged into ComboFix. :thumbsup:

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#10 Anasazi

Anasazi
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Texas
  • Local time:01:25 AM

Posted 01 June 2008 - 11:31 PM

ComboFix 08-05-29.1 - Anasazi James 2008-06-01 22:36:21.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.181 [GMT -5:00]
Running from: C:\Documents and Settings\Crypto\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Anasazi James\Desktop\CFScript.lnk
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
.

2008-05-30 09:03 . 2008-05-30 09:03 <DIR> d-------- C:\WINDOWS\system32\N360_BACKUP
2008-05-29 09:33 . 2008-05-29 09:38 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-05-29 09:32 . 2008-05-29 09:33 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files
2008-05-29 08:23 . 2008-05-29 08:23 <DIR> d-------- C:\Documents and Settings\Anasazi James\Application Data\Malwarebytes
2008-05-29 08:22 . 2008-05-29 08:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-29 08:22 . 2008-05-29 08:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-29 08:22 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-29 08:22 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-28 16:31 . 2008-05-28 16:31 <DIR> d-------- C:\Deckard
2008-05-28 15:37 . 2008-05-28 15:37 3,078 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-28 15:27 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-28 15:27 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-28 15:27 . 2008-05-27 13:54 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-28 15:27 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-28 15:27 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-28 15:27 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-28 15:27 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-28 15:27 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-28 14:49 . 2008-05-28 14:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-26 16:24 . 2008-05-26 16:24 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-05-26 16:24 . 2008-05-28 17:19 <DIR> d-------- C:\Program Files\Norton 360
2008-05-26 16:21 . 2008-05-26 16:27 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-26 16:21 . 2008-05-26 16:27 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-26 16:00 . 2008-05-26 16:00 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-05-26 15:30 . 2008-05-26 15:30 <DIR> d-------- C:\Documents and Settings\Anasazi James\Application Data\SiteAdvisor
2008-05-26 15:16 . 2008-05-26 15:16 19,751 --a------ C:\WINDOWS\yseba._sy
2008-05-26 15:16 . 2008-05-26 15:16 19,289 --a------ C:\Program Files\Common Files\vudig.dll
2008-05-26 15:16 . 2008-05-26 15:16 19,185 --a------ C:\Documents and Settings\Bikeman from Seattle\Application Data\uluwev.reg
2008-05-26 15:16 . 2008-05-26 15:16 18,301 --a------ C:\Program Files\Common Files\ryhubiwur.com
2008-05-26 15:16 . 2008-05-26 15:16 17,203 --a------ C:\WINDOWS\sujyzesor.scr
2008-05-26 15:16 . 2008-05-26 15:16 16,366 --a------ C:\Program Files\Common Files\zifasacivy.dat
2008-05-26 15:16 . 2008-05-26 15:16 15,131 --a------ C:\Program Files\Common Files\iletekumer.exe
2008-05-26 15:16 . 2008-05-26 15:16 13,610 --a------ C:\WINDOWS\boqewat.vbs
2008-05-26 15:16 . 2008-05-26 15:16 12,899 --a------ C:\Documents and Settings\All Users\Application Data\tety.vbs
2008-05-26 15:16 . 2008-05-26 15:16 12,857 --a------ C:\Documents and Settings\All Users\Application Data\esabofula.dll
2008-05-26 15:16 . 2008-05-26 15:16 11,149 --a------ C:\WINDOWS\system32\uxedaxe.sys
2008-05-26 15:16 . 2008-05-26 15:16 11,010 --a------ C:\WINDOWS\sanunijag.scr
2008-05-26 15:16 . 2008-05-26 15:16 10,210 --a------ C:\WINDOWS\hovos.vbs
2008-05-26 08:44 . 2008-05-26 08:44 <DIR> d-------- C:\Program Files\Microsoft Silverlight in the sky
2008-05-14 19:34 . 2008-05-14 19:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-14 19:34 . 2008-05-14 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 02:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-30 15:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-30 15:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 18:12 --------- d-----w C:\Program Files\MSXML 4.0
2008-05-27 16:08 --------- d-----w C:\Program Files\Free Offers from Freeze.com
2008-05-26 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-26 21:47 --------- d-----w C:\Documents and Settings\Anasazi James\Application Data\Symantec
2008-05-26 21:27 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-26 21:27 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-26 21:27 --------- d-----w C:\Program Files\Symantec
2008-05-26 21:19 --------- d-----w C:\Program Files\McAfee
2008-05-26 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-26 20:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-15 00:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 13:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-28 00:55 --------- d-----w C:\Program Files\Java
2008-04-27 15:20 --------- d-----w C:\Program Files\Real
2008-04-27 15:17 --------- d-----w C:\Program Files\Common Files\xing shared
2008-04-27 15:15 --------- d-----w C:\Program Files\Common Files\Real
2008-04-27 15:13 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-04-27 15:13 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-25 04:50 355,112 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
2001-12-15 02:56 17,408 --sha-w C:\Program Files\Thumbs.db
.

------- Sigcheck -------

2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
.
((((((((((((((((((((((((((((( snapshot@2008-05-30_11.03.18.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 15:52:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 20:38:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 12:36:47 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_520.dat
+ 2008-06-02 00:49:57 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@={4433A54A-1AC8-432F-90FC-85F045CF383C}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@={F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@={476D0EA3-80F9-48B5-B70B-05E677C9C148}

[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 03:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 03:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 03:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-18 07:00 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2001-11-19 06:40 1413120]
"NvCplDaemon"="RUNDLL32.exe" [2001-08-18 07:00 31744 C:\WINDOWS\system32\rundll32.exe]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 13:41 196608]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 07:07 69632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-03-23 15:47 1111040]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 17:54 37376]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-27 10:12 185896]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 14:37 51048]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [2008-02-26 09:50 988512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2008-02-21 17:02 152952]
"Symantec NetDriver Warning"="C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE" [2004-05-09 01:15 91256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2001-08-18 07:00 63488]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
VAIO Action Setup (Server).lnk - C:\Program Files\Sony\VAIO Action Setup\VAServ.exe [2001-12-19 17:24:36 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 SonyFKC;FAN and Keyboard Control Service;C:\WINDOWS\System32\Drivers\SonyFKC.sys [2001-12-06 12:49]
R2 V7;V7;C:\WINDOWS\System32\drivers\V7.sys [2000-03-09 11:24]
S3 BCM42XX;Broadcom iLine10™ Network Adapter Driver;C:\WINDOWS\System32\DRIVERS\bcm42xx5.sys [2001-08-17 15:11]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 SMBE;Sony MPEG2 Encoder Board (WDM);C:\WINDOWS\System32\Drivers\SMBE.SYS [2001-09-21 19:16]
S3 UsbCmxp;Scientific Atlanta WebSTAR 2000 series Cable Modem;C:\WINDOWS\System32\DRIVERS\sacmxp2.sys []

*Newly Created Service* - COMHOST


.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 22:41:40
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-01 22:48:32
ComboFix-quarantined-files.txt 2008-06-02 03:48:20
ComboFix2.txt 2008-05-31 13:23:34
ComboFix3.txt 2008-05-30 16:03:59

Pre-Run: 1,397,678,080 bytes free
Post-Run: 1,470,369,792 bytes free

165 --- E O F --- 2008-06-01 12:39:14

#11 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:08:25 AM

Posted 02 June 2008 - 04:25 AM

Hello Anasazi,

You once more started ComboFix using CFScript.lnk :thumbsup:
That way malware will not be removed!!
ComboFix needs a text file to work properly.
Both saved on the desktop of the same account!

Copy the bold and blue text into an empty Notepad window,
click File > Save as, and save the file to your Desktop as CFScript.txt.
Make sure, BEFORE clicking the Save button, that "Save as type" is set to Text files (*.txt)!! :)
Then drag the txt file into ComboFix.
If properly done, the header of the ComboFix log should read:

ComboFix 08-05-29.1 - Anasazi James 2008-06-.. ....4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.181 [GMT -5:00]
Running from: C:\Documents and Settings\Anasazi James\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Anasazi James\Desktop\CFScript.txt

Greetings,
Thunder

Edited by Thunder, 02 June 2008 - 04:28 AM.


#12 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:08:25 AM

Posted 30 June 2008 - 05:03 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
